Internet Gateways

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic.

Enabling Internet Access

To enable access to or from the internet for instances in a VPC subnet, you must do the following:

Attach an internet gateway to your VPC.

Ensure that your subnet's route table points to the internet gateway. You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6), or you can scope the route to a narrower range of IP addresses; for example, the public IPv4 addresses of your company's public endpoints outside of AWS, or the Elastic IP addresses of other Amazon EC2 instances outside your VPC. If your subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet.

Ensure that instances in your subnet have a public IPv4 address, an Elastic IP address, or an IPv6 address, as described below.

Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

To enable communication over the internet for IPv4, your instance must have a public IPv4 address or an Elastic IP address that's associated with a private IPv4 address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet; the public address never appears on the instance's own network interface. The internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the internet, the source address field of the packet is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance's private IPv4 address before the traffic is delivered to the VPC.

To enable communication over the internet for IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the range of the subnet. IPv6 addresses are globally unique, and therefore public by default; no NAT is performed for IPv6 traffic.

In the following diagram, Subnet 1 in the VPC is associated with a custom route table that points all internet-bound IPv4 traffic to an internet gateway. The instance has an Elastic IP address, which enables communication with the internet.
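The four conditions above (attached internet gateway, route to it from the subnet's route table, a public IPv4 or Elastic IP address, and a permissive security group rule) are exactly what an auditor checks when looking for unintended public exposure. The following is an added example, not part of the original page or of any AWS tooling: it evaluates those conditions offline over dicts shaped like the JSON that `aws ec2 describe-internet-gateways`, `describe-route-tables`, `describe-security-groups` and `describe-instances` return. The sample data and every ID in it are constructed for this example; it covers IPv4 only and does not model network ACLs (the default ACL allows all traffic).

```python
"""Offline check of the four conditions for inbound IPv4 reachability.

Input dicts mirror `aws ec2 describe-*` JSON output. Sample data below is
constructed for this example; all IDs are invented. IPv4 only; network ACLs
are not modelled (the default network ACL allows all traffic)."""

import ipaddress

# --- constructed sample data (invented IDs) ---------------------------------
IGWS = [{"InternetGatewayId": "igw-0example",
         "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0example",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0example",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
                 "State": "active"}]},
]

SECURITY_GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # world-open
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},    # scoped, not world-open
}

INSTANCES = [
    # Public subnet, public IPv4 address, HTTPS open to the world: reachable.
    {"InstanceId": "i-web", "VpcId": "vpc-0example", "SubnetId": "subnet-public",
     "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "198.51.100.7",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    # No explicit association: falls back to the main route table, which has
    # no internet gateway route; also no public IPv4 address.
    {"InstanceId": "i-db", "VpcId": "vpc-0example", "SubnetId": "subnet-private",
     "PrivateIpAddress": "10.0.2.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
]


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def igw_default_route(route_table, igws, vpc_id):
    """Active 0.0.0.0/0 route whose target is an internet gateway that is
    actually attached to this VPC, else None. A narrower igw-* route still
    makes the subnet 'public' but only gives a return path to that range."""
    attached = {g["InternetGatewayId"] for g in igws
                if any(a["VpcId"] == vpc_id and a["State"] in ("available", "attached")
                       for a in g.get("Attachments", []))}
    for r in route_table.get("Routes", []):
        dest = r.get("DestinationCidrBlock")
        gw = r.get("GatewayId", "")
        if (dest and ipaddress.ip_network(dest, strict=False).prefixlen == 0
                and gw.startswith("igw-") and gw in attached
                and r.get("State") == "active"):
            return r
    return None


def open_to_world(sg_ids, sgs):
    """(protocol, from_port, to_port) for every ingress rule whose source is
    a /0 range, i.e. any address on the internet."""
    ports = []
    for sg_id in sg_ids:
        for perm in sgs.get(sg_id, {}).get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                    ports.append((perm["IpProtocol"], perm.get("FromPort"),
                                  perm.get("ToPort")))
    return ports


def audit_instance(inst, route_tables, igws, sgs):
    """Return (reachable, findings, world_open_ports). reachable is True only
    when every condition holds; findings names each one that fails."""
    findings = []
    rt = route_table_for_subnet(inst["SubnetId"], inst["VpcId"], route_tables)
    if rt is None or igw_default_route(rt, igws, inst["VpcId"]) is None:
        findings.append("no active 0.0.0.0/0 route to an attached internet gateway")
    if not inst.get("PublicIpAddress"):   # set for both auto-assigned and Elastic IPs
        findings.append("no public IPv4 or Elastic IP address")
    ports = open_to_world([g["GroupId"] for g in inst["SecurityGroups"]], sgs)
    if not ports:
        findings.append("no security group ingress rule from 0.0.0.0/0")
    return (not findings), findings, ports


if __name__ == "__main__":
    for inst in INSTANCES:
        print(inst["InstanceId"], audit_instance(inst, ROUTE_TABLES, IGWS, SECURITY_GROUPS))
```

Running it reports `i-web` as reachable with TCP 443 open to the world and `i-db` as unreachable with two failed conditions. Detaching the gateway (an empty `Attachments` list) flips `i-web` to unreachable even though its route table still names the gateway, which is the case to watch for after a partial teardown.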

Internet Access for Default and Nondefault VPCs

The following table provides an overview of whether your VPC automatically comes with the components required for internet access over IPv4 or IPv6.

Internet gateway
  Default VPC: Yes
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create and attach the internet gateway.

Route table with route to internet gateway for IPv4 traffic (0.0.0.0/0)
  Default VPC: Yes
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create the route table and add the route.

Route table with route to internet gateway for IPv6 traffic (::/0)
  Default VPC: No
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard, and if you specified the option to associate an IPv6 CIDR block with the VPC. Otherwise, you must manually create the route table and add the route.

Public IPv4 address automatically assigned to instance launched into subnet
  Default VPC: Yes (default subnet)
  Nondefault VPC: No (nondefault subnet)

Creating and Attaching an Internet Gateway

Open the Amazon VPC console. In the navigation pane, choose Internet Gateways, and then choose Create internet gateway.

Optionally name your internet gateway, and then choose Create.

Select the internet gateway that you just created, and then choose Actions, Attach to VPC.

Select your VPC from the list, and then choose Attach. An internet gateway can be attached to only one VPC at a time.

Creating a Custom Route Table

When you create a subnet, we automatically associate it with the main route table for the VPC. By default, the main route table doesn't contain a route to an internet gateway. The following procedure creates a custom route table with a route that sends traffic destined outside the VPC to the internet gateway, and then associates it with your subnet.

Updating the Security Group Rules

Your VPC comes with a default security group. Each instance that you launch into a VPC is automatically associated with its default security group. The default settings for a default security group allow no inbound traffic from the internet and allow all outbound traffic to the internet. Outbound connections from your instances therefore already work once the route and public address are in place; to allow inbound connections from the internet, create a new security group that admits the required traffic and associate it with your public instances.

In the navigation pane, choose Security Groups, and then choose Create Security Group.

In the Create Security Group dialog box, specify a name for the security group and a description. Select the ID of your VPC from the VPC list, and then choose Yes, Create.

Select the security group. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

On the Inbound Rules tab, choose Edit. Choose Add Rule, and complete the required information. For example, select HTTP or HTTPS from the Type list, and enter the Source as 0.0.0.0/0 for IPv4 traffic, or ::/0 for IPv6 traffic. Choose Save when you're done.

Open only the ports that the instance must serve to the internet. Administrative ports such as SSH (22) and RDP (3389) should be limited to the source ranges you administer from, not to 0.0.0.0/0 or ::/0.

Adding Elastic IP Addresses

After you've launched an instance into the subnet, you must assign it an Elastic IP address if you want it to be reachable from the internet over IPv4.

Note

If you assigned a public IPv4 address to your instance during launch, then your instance is reachable from the internet, and you do not need to assign it an Elastic IP address. For more information about IP addressing for your instance, see IP Addressing in Your VPC.

To allocate an Elastic IP address and assign it to an instance using the console

Open the Amazon VPC console. In the navigation pane, choose Elastic IPs, and then allocate a new address.

Select the Elastic IP address from the list, choose Actions, and then choose Associate address.

Choose Instance or Network interface, and then select either the instance or network interface ID. Select the private IP address with which to associate the Elastic IP address, and then choose Associate.
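The four console procedures above (create and attach the internet gateway, create the route table and route, create the security group, allocate and associate the Elastic IP) map one-to-one onto EC2 API calls. The following is an added example, not code from the original page or from AWS: it runs the same steps through a boto3 EC2 client using the documented `create_internet_gateway`, `attach_internet_gateway`, `create_route_table`, `create_route`, `associate_route_table`, `create_security_group`, `authorize_security_group_ingress`, `modify_instance_attribute`, `allocate_address` and `associate_address` operations. The client is passed in as a parameter so the sequence can be exercised against a stub; the group name `public-web`, the HTTPS-only rule and the assumption that the instance already exists in the target subnet are choices made for this example.

```python
"""Programmatic form of the console procedure: internet gateway, default
route, security group, Elastic IP. Pass boto3.client("ec2") as `ec2`; the
client is injected so the call sequence can be tested with a stub."""

import sys

# Ingress rule chosen for this example: HTTPS from anywhere, nothing else.
# Administrative ports (22, 3389) should be scoped to known source ranges.
HTTPS_FROM_ANYWHERE = [{
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "public HTTPS"}],
}]


def enable_internet_access(ec2, vpc_id, subnet_id, instance_id,
                           ingress=HTTPS_FROM_ANYWHERE):
    """Perform the four procedures in order and return the created IDs."""
    # 1. Create the internet gateway and attach it to the VPC.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # 2. Custom route table: the "local" route for the VPC CIDR is present in
    #    every route table automatically; add the default route to the gateway
    #    and associate the table with the subnet (this makes it a public subnet).
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)

    # 3. Security group admitting only the intended inbound traffic, then swap
    #    the instance from the default group onto it.
    sg_id = ec2.create_security_group(
        GroupName="public-web",
        Description="Inbound HTTPS from the internet", VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ingress)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 4. Elastic IP: the gateway performs 1:1 NAT between this address and the
    #    instance's primary private IPv4 address.
    alloc = ec2.allocate_address(Domain="vpc")
    ec2.associate_address(AllocationId=alloc["AllocationId"],
                          InstanceId=instance_id)

    return {"igw": igw_id, "rtb": rtb_id, "sg": sg_id, "eip": alloc["PublicIp"]}


if __name__ == "__main__":
    # usage: python enable_internet_access.py vpc-xxxx subnet-xxxx i-xxxx
    import boto3  # only needed for a real run, not for import
    vpc, subnet, instance = sys.argv[1:4]
    print(enable_internet_access(boto3.client("ec2"), vpc, subnet, instance))
```

The order matters: the route must not be created before the gateway is attached, and the Elastic IP is associated last so the instance is never publicly addressable while it still carries the default security group. Reversing the sequence (detach gateway, release address) is what the detach procedure below requires.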

Detaching an Internet Gateway from Your VPC

If you no longer need internet access for instances that you launch into a nondefault VPC, you can detach an internet gateway from a VPC. You can't detach an internet gateway if the VPC has resources with associated public IP addresses or Elastic IP addresses; disassociate and release those addresses first.